Back to skill

Security audit

Danger Guard

Security checks across malware telemetry and agentic risk

Overview

Danger Guard is a security-focused skill, but it asks users to enter their sudo/admin password, stores a reusable SHA-256 verifier, changes shell behavior, and can log or send sensitive command details.

Review carefully before installing. This skill is not just a prompt-level safety rule: it may ask for your sudo/admin password, persist a password-derived hash, modify shell startup files, install aliases/hooks, log command history, and send incident alerts through chat or email. Use it only if you accept those tradeoffs, and prefer a version that avoids OS-password collection and uses native authorization with clear log redaction and uninstall controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document promises that dangerous commands will be stopped and not executed, but elsewhere the shell wrapper explicitly runs the blocked command after password/hash verification. This mismatch can cause operators to trust the skill as a pure guardrail when it actually becomes an approval gate for destructive execution, increasing the chance of accidental system damage.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill claims shell-wrapper protection for all terminal commands, but the implementation only works when commands are routed through the wrapper or aliases. This creates a false sense of comprehensive protection, allowing dangerous commands to bypass the mechanism entirely if invoked directly or through unwrapped tools.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The whitelist states that git clean and git reset do not trigger interception, while the blacklist marks them as dangerous and requiring confirmation. Contradictory policy definitions can lead to inconsistent enforcement and user misunderstanding around destructive repository actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The emergency protocol says the skill will record the last 50 commands to a security-breach file, but the README does not clearly warn users that potentially sensitive command history, arguments, file paths, secrets, or operational context may be persisted to disk during an incident. In a security tool, silently expanding data collection during a breach can create secondary privacy and secret-exposure risks if the log file is later accessed by other users, malware, backups, or support tooling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes sending alerts through chat and optional email but does not clearly disclose that incident details may leave the local system and be transmitted to third-party messaging or email services. For a breach-response feature, off-system notification can expose sensitive command content, host details, or security events to external providers or compromised channels.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill requests a sudo/administrator password surrogate, stores a reusable SHA-256 hash, and sends command metadata to external alerting channels without prominent up-front warning about credential and privacy risks. Unsalted password hashes are offline-crackable, and alert contents may leak sensitive command context or incident data to third parties.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The onboarding flow performs persistent system modifications such as writing files, changing PATH behavior, and editing shell startup files without strong warning about side effects or rollback guidance. This can unexpectedly alter command execution semantics and degrade system usability or safety.

Ssd 3

Medium
Confidence
89% confidence
Finding
The emergency protocol says the system will log the last 50 commands to a file and send alerts after a trigger phrase. Command history can contain secrets, file paths, tokens, credentials, or sensitive operational details, so retaining and transmitting it increases exposure during an already sensitive incident.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
### 配置说明

- **工作原理**: Shell wrapper 拦截指定的命令,检查是否匹配危险模式,如果匹配则要求输入 sudo 密码验证
- **密码验证**: 使用 SHA-256 哈希比对,密码存储在 `~/.danger-guard.json`(由 OpenClaw 配置)
- **日志记录**: 所有拦截和执行的命令记录在 `~/.danger-guard.log`
- **最大尝试次数**: 密码验证失败 3 次后拦截命令
Confidence
73% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
检测到系统:macOS

第 1 步:输入 sudo 密码(开机密码)
  → 以 SHA256 哈希存储,不明文保存

第 2 步:邮件告警?(可选)
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Detected system: macOS

Step 1: Enter your sudo password (login password)
  → Stored as SHA256 hash, never plaintext

Step 2: Email alerts? (optional)
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
### 2. 读取配置
从 `memory/danger-guard-config.json` 读取:
- `os`: 操作系统类型
- `sudo_hash`: sudo 密码哈希
- `alert_email`: 告警邮箱(可选)
- `email_method`: 邮件方式(none/native/resend)
Confidence
97% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo "🛡️ Danger Guard 拦截!"
    echo "检测到危险命令: $CMD"
    echo ""
    echo "输入 sudo 密码确认执行:"
    read -s -p "密码: " password
    echo
Confidence
99% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- 第二步: 配置常用 AI 工具(Claude Code、Codex 等)
   - 第三步: 启用 OpenClaw Skill(飞书告警)

3. **sudo 密码以 SHA256 哈希存储**
   - 不明文保存密码
   - 哈希比对后立即使用,不缓存
Confidence
97% confidence
Finding
sudo

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### 注意事项

⚠️ **重要**: Shell wrapper 会拦截所有通过别名保护的命令,即使不是危险操作。例如:
- `rm file.txt` 会被拦截(即使只是删除单个文件)
- `git push` 会被拦截(即使不是 force push)

如果这影响了你的工作流程,可以:
Confidence
83% confidence
Finding
rm file.txt` 会被拦截(即使只是删除单个文件) - `git push` 会被拦截(即使不是 force push) 如果这影响了你的工作流程,可以: 1. 减少别名数量,只保护最危险的命令 2. 使用 `command rm file.txt` 绕过 wrapper 3. 临时禁用:`unalias rm` --- ## Git Hooks 为 Git 仓库配置 pre-pu

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# 检查是否有 force push
  if [[ "$1" == *"--force"* ]] || [[ "$1" == *"-f"* ]]; then
    echo "🛡️ Danger Guard: Force push 已拦截"
    echo "如果确实需要,请使用: git push --force-with-lease"
    exit 1
  fi
fi
Confidence
91% confidence
Finding
git push --force

VirusTotal

4/56 vendors flagged this skill as malicious, and 52/56 flagged it as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.